  1. #1
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,521

    How to (somewhat) secure a Linux Server

    While the only way to secure a server 100% is to unplug it from the network, there are quite a few things that I do to enhance security. A few of them (the non-client-exclusive stuff) can be found right here. Questions, as always, can be asked and I'll try to explain it as easily as humanly possible.
    Anything added
    Code:
    like this
    should be added to the file right above it, using whatever shell editor you choose (vi, pico, etc).

    in /etc/sysctl.conf, add
    Code:
    # disable packet forwarding
    net.ipv4.ip_forward = 0
    # enable source route verification (IP spoofing protection)
    net.ipv4.conf.all.rp_filter = 1
    # ignore broadcast pings
    net.ipv4.icmp_echo_ignore_broadcasts = 1
    # enable TCP SYN cookie protection
    net.ipv4.tcp_syncookies = 1
    # size of syn backlog
    net.ipv4.tcp_max_syn_backlog = 512
    # set max files
    fs.file-max = 32768
    # ignore all ping requests
    net.ipv4.icmp_echo_ignore_all = 1
    What does this do?
    This sets a variety of code for the linux OS to use itself. It tells the system to ignore pings, icmp, enable SYN protection, disable network forwarding and more.
    Please note
    After doing this, you will need to restart your network (generally rebooting the server works fine).

    in /etc/rc.local, add
    Code:
    # turn on source address verification on every interface
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > "$f"
    done
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    # refuse source-routed packets on every interface
    for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > "$f"
    done
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    This does much the same thing as the above; it's more repetitive, but it's another layer of 'security', as it were. ICMP is denied, broadcasts denied, TCP SYN is denied.

    in /etc/host.conf, the following is added (if it doesn't exist already)
    Code:
    # Lookup names via DNS first then fall back to /etc/hosts.
    order bind,hosts
    # We have machines with multiple IP addresses.
    multi on
    # Check for IP address spoofing.
    nospoof on
    The comments are quite clear on this one. The first uses bind, then hosts, to look up domain names. The second says we have machines with multiple IP addresses (in many cases it's important). The third (somewhat) prevents individuals from "spoofing" an IP address and hitting up your server.

    In /etc/hosts.deny, the following line is added:
    Code:
    ALL: PARANOID
    More "spoof" protection there.

    From there, it's time for the firewall. The firewall is the most important thing to a linux server. Without it, you can be literally killed. With it, you are somewhat defended and protected. While no good firewall will fully protect a Linux server, it's an extra layer of security, which is a very good thing.
    Personally, I use APF, which maintains a decent balance between blocking ports you don't want accessed and limiting traffic. There's also a wonderful attempt at a DDoS protection system in place there. While (again) no DDoS protection can work on a TRUE DDoS, it'll stop a number of attacks.

    From there, it's time for the kernel. Look around for a tutorial on kernels. You can either custom compile the kernel (not recommended unless you're highly familiar with Linux) or use an RPM (or whatever package system you're using).

    Compiling a kernel is NOT recommended on non local machines. Why? Because if you screw something up, you have no chance at hitting that power down button, starting up in single user mode and recompiling it. You have to wait for the datacenter to respond to the ticket, which (usually) is slow and very costly.


    There are a variety of other (personal) configuration changes that I make to applications, to prevent them from overloading, such as:
    proftpd:
    in /etc/proftpd.conf, I add:
    Code:
    TimeoutIdle 600
    TimeoutNoTransfer 600
    TimeoutLogin 300
    MaxInstances 30
    MaxClientsPerHost 2
    at the top. This is pretty much self-explanatory.

    for mysql:
    in /etc/my.cnf (or wherever my.cnf is located)
    Code:
    [mysqld]
    port            = 3306
    skip-locking
    set-variable    = max_connections=100
    set-variable    = max_user_connections=20
    set-variable    = key_buffer=16M
    set-variable    = join_buffer=4M
    set-variable    = record_buffer=4M
    set-variable    = sort_buffer=6M
    set-variable    = table_cache=1024
    set-variable    = myisam_sort_buffer_size=32M
    set-variable    = interactive_timeout=100
    set-variable    = wait_timeout=100
    set-variable    = connect_timeout=10
    set-variable    = thread_cache_size=128
    And finally, in /etc/rc.local, I add:
    Code:
    TMOUT=180
    export TMOUT
    at the bottom. This logs everyone off if they're idle for more than 3 minutes. Adjust that at will; it goes by seconds, so 300 seconds would be 5 minutes, 600 would be 10 minutes idle, etc.

    There are a number of other security tricks that I use, such as:
    limiting ssh access
    in /etc/hosts.deny
    Code:
    sshd: ALL
    in /etc/hosts.allow
    Code:
    sshd: host.ip.number.1,host.ip.number.2,etc
    Some would eliminate root login, but I wouldn't take it that far. If your server is properly monitored, you won't need to eliminate it.

    Some would suggest using Tripwire, and at the beginning I did as well, until I started working with hosts who had real data on their server, and it (literally) crippled the servers. Tripwire is something that will check everything on your server to ensure that it's running smoothly and that it hasn't been modified. The downside to that is if you've got a ton of files on the server, it loads the server down until it just can't be accessed any longer. The same goes for updatedb, which is why I actually remove the cron entry for that as well.

    Unfortunately, there's no real "automation" for security and systems administration. The best key in the game is knowing your logs, reading them, understanding what they say, and how to react based on it. As well, tools such as chkrootkit and FAF will help, and knowing as well as working with Linux for years helps. A lot of the security job is knowing when to react, and just exactly how to react, as well as being informed. If you don't know something, ask, especially if it looks suspicious.
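    The post says to reboot after editing /etc/sysctl.conf; the script below, added here and not part of the original post, reads the same keys back from /proc/sys (where sysctl stores them) so you can confirm the values actually took effect. The PROC_ROOT argument and the constructed sample tree are additions for running the check offline.

```shell
#!/bin/sh
# Added example (not part of the original post): read back the sysctl.conf
# settings from the post and compare them with what the kernel is actually
# using. sysctl writes key a.b.c to /proc/sys/a/b/c, so reading those files
# confirms whether the values took effect after the reboot the post asks for.

# Expected settings, copied from the post (the duplicated lines dropped).
EXPECTED='net.ipv4.ip_forward=0
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.tcp_syncookies=1
net.ipv4.tcp_max_syn_backlog=512
fs.file-max=32768
net.ipv4.icmp_echo_ignore_all=1'

# check_sysctl [PROC_ROOT]
# PROC_ROOT defaults to /proc/sys; passing another directory lets the check
# run against a constructed tree (used below). Prints one line per mismatch,
# "key expected=X actual=Y" (actual=MISSING when the kernel has no such key),
# and returns 1 if anything mismatched, 0 if every value is in effect.
check_sysctl() {
    proc_root=${1:-/proc/sys}
    bad=0
    for entry in $EXPECTED; do
        key=${entry%%=*}
        want=${entry#*=}
        # a.b.c -> PROC_ROOT/a/b/c
        path="$proc_root/$(printf '%s' "$key" | tr . /)"
        if [ -r "$path" ]; then
            have=$(cat "$path")
        else
            have=MISSING
        fi
        if [ "$have" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$want" "$have"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# build_sample_tree DIR
# Constructed stand-in for /proc/sys: one value deliberately wrong
# (ip_forward left at 1) and one key deliberately absent (fs.file-max),
# so both failure modes of the check are exercised offline.
build_sample_tree() {
    root=$1
    mkdir -p "$root/net/ipv4/conf/all"
    echo 1   > "$root/net/ipv4/ip_forward"
    echo 1   > "$root/net/ipv4/conf/all/rp_filter"
    echo 1   > "$root/net/ipv4/icmp_echo_ignore_broadcasts"
    echo 1   > "$root/net/ipv4/tcp_syncookies"
    echo 512 > "$root/net/ipv4/tcp_max_syn_backlog"
    echo 1   > "$root/net/ipv4/icmp_echo_ignore_all"
}

demo=$(mktemp -d)
build_sample_tree "$demo"
echo "Checking the constructed tree:"
check_sysctl "$demo" || echo "-> some settings are not in effect"
rm -rf "$demo"
# On the server itself, run check_sysctl with no argument to read /proc/sys.
```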

  2. #2
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,267
    AIDE is also good as a replacement for Tripwire.
    Last edited by anon-e-mouse; 01-26-2004 at 09:50 AM.

  3. #3
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,521
    Got a link? I'm always looking for new toys (errm, utilities) to play with.
    Last edited by anon-e-mouse; 01-26-2004 at 09:51 AM.

  4. #4
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,267
    Last edited by anon-e-mouse; 01-26-2004 at 09:52 AM.

  5. #5
    Join Date
    Oct 2002
    Posts
    702
    Compiling a kernel is NOT recommended on non local machines
    You might want to change that to remote instead of local.
    Last edited by anon-e-mouse; 01-26-2004 at 09:52 AM.

  6. #6
    Join Date
    Jul 2001
    Location
    Singapore
    Posts
    1,790
    Originally posted by TheVoice
    You might want to change that to remote instead of local.
    Doesn't this have the same meaning?
    Non local and remote?
    Or you mean:
    Compiling a kernel is NOT recommended on non remote machines
    instead of:
    Compiling a kernel is NOT recommended on non local machines

  7. #7
    Join Date
    Oct 2002
    Posts
    702
    I really should stop posting at 3 in the morning.
    Last edited by anon-e-mouse; 01-26-2004 at 09:53 AM.

  8. #8
    Join Date
    Mar 2003
    Location
    Kansas City, MO
    Posts
    66
    This post was helpful. Thank you.
    Last edited by anon-e-mouse; 01-26-2004 at 09:55 AM.

  9. #9
    Join Date
    Jul 2002
    Location
    USA
    Posts
    1,125
    Nice post and information. Very appreciated.
    Last edited by anon-e-mouse; 01-26-2004 at 09:54 AM.

  10. #10
    I see no reason for disabling ICMP - can anyone explain?

    regards,
    M.
    Last edited by anon-e-mouse; 01-26-2004 at 09:55 AM.

  11. #11
    Join Date
    Aug 2002
    Location
    Chandler, Arizona
    Posts
    2,564
    Originally posted by Miha
    I see no reason for disabling ICMP - can anyone explain?

    regards,
    M.
    Prevents pinging. I guess in a DDoS attack that's a good thing.
    Last edited by interactive; 01-26-2004 at 12:25 PM.

  12. #12
    Join Date
    Jul 2001
    Location
    Singapore
    Posts
    1,790
    Quoted from Security-HOWTO:
    Ping flooding is a simple brute-force denial of service attack. The attacker sends a "flood" of ICMP packets to your machine. If they are doing this from a host with better bandwidth than yours, your machine will be unable to send anything on the network. A variation on this attack, called "smurfing", sends ICMP packets to a host with your machine's return IP, allowing them to flood you less detectably. You can find more information about the "smurf" attack here.

  13. #13
    Actually, ICMP packets are being "cut" at the router (your closest router, to be correct). Try doing "ping -f -s 40000 somehost.com" for example - you will see a lot (more than 50%; probably close to 90%) of packets getting lost. Your provider most likely won't allow such action, unless, of course, there is some very old router that allows you to pass such an amount of ICMP packets per second.
    I remember when one could knock over Win98 with "ping -f" (ping of death), but this is not an issue anymore.
    ICMP pings are useless these days, and I can't remember any host/network suffering from an ICMP flood for the past "N" years.

    regards,
    M.

    <edit>signature removed</edit>
    Last edited by choon; 02-09-2004 at 09:13 PM.

  14. #14
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,521
    Actually, you're wrong.
    Just because the -f option to ping is limited doesn't mean ping can't be used to launch any sort of attack against a server. The best response is to nullroute ICMP altogether.

    It's entirely possible to flood a server, not with packets but with data, which customer has to pay for, and (usually) ends up crippling a server until whoever is doing it has decided they are done.

    If ping flooding were disabled, or weren't such a common thing, then datacenters wouldn't have a single problem, but, it is, unfortunately. ICMP is a very dangerous protocol to leave open on your server.

    <edit>signature removed</edit>
    Last edited by choon; 02-09-2004 at 09:13 PM.

  15. #15
    Originally posted by wolfstream
    Actually, you're wrong.
    Just because the -f option to ping is limited doesn't mean ping can't be used to launch any sort of attack against a server. The best response is to nullroute ICMP altogether.
    Hm, I think I've covered that in my last post - most (if not all) providers have decent routers. This problem with ICMP floods is not a problem anymore - nearly all routers limit the ICMP packet rate and the size of ICMP packets. I don't think you will be able to send a packet larger than 67k of data - the router simply won't accept it.

    It's entirely possible to flood a server, not with packets but with data, which customer has to pay for, and (usually) ends up crippling a server until whoever is doing it has decided they are done.
    Again, if you send 10.000 echo requests, it does not mean the destination will take all of them, because routers will cut more than 3/4 of it, unless you send 1 packet per second, as suggested, which isn't going to flood you with terabytes of bandwidth.

    If ping flooding were disabled, or weren't such a common thing, then datacenters wouldn't have a single problem, but, it is, unfortunately. ICMP is a very dangerous protocol to leave open on your server.
    However, statistics show that a targeted attack on a specific service is more common and more dangerous than a simple ICMP flood, which isn't a flood, eventually.

    regards,
    M.

    <edit>signature removed</edit>
    Last edited by choon; 02-09-2004 at 09:14 PM.

  16. #16
    Post has been helpful... Thanks!

  17. #17
    Join Date
    Nov 2003
    Posts
    324
    Is this safe to do on a RHE server with Cpanel?

  18. #18
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,521
    Originally posted by damainman
    Is this safe to do on a RHE server with Cpanel?
    I (personally) haven't tried this on RHE, but I don't see how it'd be much different. The core is the same.

    <edit>signature removed</edit>
    Last edited by choon; 02-09-2004 at 09:14 PM.

  19. #19
    Join Date
    Nov 2003
    Posts
    324
    Thanks,

    Now, it's not that I know much code, but some things have changed from RH9 to RHE... For example, disabling recursive lookups.

    Any known conflicts with cPanel?

  20. #20
    Join Date
    Nov 2003
    Posts
    324
    Thanks for the tutorial, very easy to follow.

  21. #21
    Join Date
    Jan 2004
    Posts
    31
    Just the info I was looking for.

  22. #22
    I can't SSH to my server after I do what you said. What now??

  23. #23
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,521
    Have your DC log in and move hosts.deny and hosts.allow to hosts.deny.bak and hosts.allow.bak.
    Make sure your IP is in the exclusion line that I mentioned above.

    <edit>signature removed</edit>
    Last edited by choon; 02-09-2004 at 09:15 PM.

  24. #24
    But I did not do anything in those files!!!!

  25. #25
    Join Date
    Sep 2002
    Location
    Top Secret
    Posts
    11,521
    Then you didn't do what I suggested. I've had servers running on the same scripts and setup for over 2 years without a problem. The only time you'd get denied SSH access is if:
    A> you've blocked SSH without allowing your own IP
    OR
    B> you've got an IP that doesn't resolve correctly.

    <edit>signature removed</edit>
    Last edited by choon; 02-09-2004 at 09:15 PM.

  26. #26
    Yes, I can log in now. Maybe my network sucks.

  27. #27
    Join Date
    Mar 2002
    Location
    Philadelphia, PA
    Posts
    2,508
    Great tutorial

    <edit>signature removed</edit>
    Last edited by choon; 02-09-2004 at 09:15 PM.

  28. #28

    Re: How to (somewhat) secure a Linux Server

    How do I keep myself unblocked from SSH if my ISP assigns me a new Dynamic Ip every 36 hours ?



    There are a number of other security tricks that I use, such as:
    limiting ssh access
    in /etc/hosts.deny
    Code:
    sshd: ALL
    in /etc/hosts.allow
    Code:
    sshd: host.ip.number.1,host.ip.number.2,etc
    Some would eliminate root login, but I wouldn't take it that far. If your server is properly monitored, you won't need to eliminate it.
    <edit>signature removed</edit>
    Last edited by choon; 02-23-2004 at 09:32 PM.

  29. #29
    Join Date
    Jul 2001
    Location
    Singapore
    Posts
    1,790
    If your ISP's issuing IP range is 123.456.789.x,
    then just use 123.456.789.
    Just my thoughts.
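    The hosts.allow / hosts.deny rules from the first post, the lockout described in posts #22 to #25, and the trailing-dot prefix suggested just above can be checked without a live server with the simulator below. It is an added example, not code from the thread; the client addresses are constructed documentation addresses, and it assumes a tcpd built in its default PARANOID mode (a client whose name does not match its address is refused before the tables are read), with hosts.allow consulted before hosts.deny and no match meaning allow.

```shell
#!/bin/sh
# Added example (not from the thread): simulate how tcpd applies the
# hosts.allow / hosts.deny rules used in this thread. Client addresses are
# constructed documentation addresses (192.0.2.x, 198.51.100.x, 203.0.113.x).
# Assumptions: tcpd built in its default PARANOID mode, which drops a client
# whose hostname does not match its address before the tables are consulted;
# hosts.allow is checked first, then hosts.deny, and no match means allow.

HOSTS_ALLOW='sshd: 192.0.2.10, 198.51.100.'   # one admin IP plus an ISP prefix
HOSTS_DENY='ALL: PARANOID
sshd: ALL'

# match_client PATTERN IP MISMATCH -> 0 if PATTERN covers IP.
# Handles the forms used in the thread: ALL, PARANOID, an exact address and a
# "123.45.67." style prefix (the suggestion for ISPs that hand out a range).
match_client() {
    pat=$1; ip=$2; mismatch=$3
    case "$pat" in
        ALL)      return 0 ;;
        PARANOID) [ "$mismatch" = 1 ] ;;   # only reached by builds without the early check
        *.)       case "$ip" in "$pat"*) return 0 ;; esac; return 1 ;;
        *)        [ "$pat" = "$ip" ] ;;
    esac
}

# rules_match RULES DAEMON IP MISMATCH -> 0 if any "daemons: clients" line matches.
rules_match() {
    rules=$1; daemon=$2; ip=$3; mismatch=$4
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        dlist=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        clist=$(printf '%s' "${line#*:}"  | tr ',' ' ')
        hit=1
        for d in $dlist; do
            if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then hit=0; fi
        done
        [ "$hit" -eq 0 ] || continue
        for c in $clist; do
            if match_client "$c" "$ip" "$mismatch"; then return 0; fi
        done
    done <<EOF
$rules
EOF
    return 1
}

# access_decision DAEMON IP [MISMATCH] -> prints the decision and the stage that made it.
access_decision() {
    daemon=$1; ip=$2; mismatch=${3:-0}
    if [ "$mismatch" = 1 ]; then
        echo "DENY (PARANOID: name/address mismatch)"
    elif rules_match "$HOSTS_ALLOW" "$daemon" "$ip" "$mismatch"; then
        echo "ALLOW (hosts.allow)"
    elif rules_match "$HOSTS_DENY" "$daemon" "$ip" "$mismatch"; then
        echo "DENY (hosts.deny)"
    else
        echo "ALLOW (no rule matched)"
    fi
}

# Constructed cases: the admin's own IP, a host inside the ISP prefix, an
# unlisted host (the locked-out poster), a listed IP whose reverse DNS does
# not match its address (case B in post #25), and a daemon the deny list
# does not cover.
for case_ in "sshd 192.0.2.10 0" "sshd 198.51.100.77 0" "sshd 203.0.113.5 0" \
             "sshd 192.0.2.10 1" "ftpd 203.0.113.5 0"; do
    set -- $case_
    printf '%-5s %-15s mismatch=%s -> %s\n' "$1" "$2" "$3" "$(access_decision "$1" "$2" "$3")"
done
```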

  30. #30
    I wish they were issuing IP ranges. My ISP is Cox and I'm pretty sure they don't just change IP ranges but entire blocks, i.e. my last IP was 67.110.47.64 and my new one, well, is way different from the old one.

    <edit>signature removed</edit>
    Last edited by choon; 02-23-2004 at 09:37 PM.

  31. #31
    Join Date
    Jul 2001
    Location
    Singapore
    Posts
    1,790
    Then no choice but to allow ALL?

    P.S. Please turn off your signature as signatures are not allowed in all HOWTO forums.

  32. #32
    Sorry for the sig, I did not know sigs were not allowed in the how-to forum. I'm gonna go ask Cox's business side to see if I can talk them into giving me a static IP; if all else fails I'll undo that edit. Thanks for your help.

  33. #33
    Join Date
    Mar 2004
    Location
    Venezuela
    Posts
    79
    I posted this on another security thread in the How To forum; maybe you guys might find it useful too.

    1) Conduct a security audit on the box and create a report for it.

    (a) Check intrusion detection. Use chkrootkit for this purpose. Update the report with these details.

    chkrootkit is very straightforward; installation is pretty simple.
    Once chkrootkit is installed, run it from the command line; it should return lines like this:

    ROOTDIR is `/'
    Checking `amd'... not found
    Checking `basename'... not infected
    Checking `biff'... not infected
    Checking `chfn'... not infected
    Checking `chsh'... not infected
    Checking `cron'... not infected
    Checking `date'... not infected
    Checking `du'... not infected
    Checking `dirname'... not infected
    Checking `echo'... not infected
    Checking `egrep'... not infected
    Checking `env'... not infected
    Checking `find'... not infected
    Checking `fingerd'... not found
    Checking `gpm'... not found
    Checking `grep'... not infected
    Checking `hdparm'... not infected
    Checking `su'... not infected
    Checking `ifconfig'... not infected
    Checking `inetd'... not infected
    Checking `inetdconf'... not infected
    Checking `identd'... not found
    Checking `killall'... not infected
    Checking `ldsopreload'... not infected
    Checking `login'... not infected
    Checking `ls'... not infected
    Checking `lsof'... not infected
    Checking `mail'... not infected
    Checking `mingetty'... not found
    Checking `netstat'... not infected
    Checking `named'... not infected
    Checking `passwd'... not infected
    Checking `pidof'... not infected
    Checking `pop2'... not found
    Checking `pop3'... not found
    Checking `ps'... not infected
    Checking `pstree'... not infected
    Checking `rpcinfo'... not infected
    Checking `rlogind'... not found
    Checking `rshd'... not found
    Checking `slogin'... not infected
    Checking `sendmail'... not infected
    Checking `sshd'... not infected
    Checking `syslogd'... not infected
    Checking `tar'... not infected
    Checking `tcpd'... not infected
    Checking `top'... not infected
    Checking `telnetd'... not found
    Checking `timed'... not found
    Checking `traceroute'... not found
    Checking `write'... not infected
    Checking `aliens'... no suspect files
    Searching for sniffer's logs, it may take a while... nothing found
    Searching for HiDrootkit's default dir... nothing found
    Searching for t0rn's default files and dirs... nothing found
    Searching for t0rn's v8 defaults... nothing found
    Searching for Lion Worm default files and dirs... nothing found
    Searching for RSHA's default files and dir... nothing found
    Searching for RH-Sharpe's default files... nothing found
    Searching for Ambient's rootkit (ark) default files and dirs... nothing found
    Searching for suspicious files and dirs, it may take a while... nothing found
    Searching for LPD Worm files and dirs... nothing found
    Searching for Ramen Worm files and dirs... nothing found
    Searching for Maniac files and dirs... nothing found
    Searching for RK17 files and dirs... nothing found
    Searching for Ducoci rootkit... nothing found
    Searching for Adore Worm... nothing found
    Searching for ShitC Worm... nothing found
    Searching for Omega Worm... nothing found
    Searching for Sadmind/IIS Worm... nothing found
    Searching for MonKit... nothing found
    Searching for anomalies in shell history files... nothing found
    Checking `asp'... not infected
    Checking `bindshell'... not infected
    Checking `lkm'... nothing detected
    Checking `rexedcs'... not found
    Checking `sniffer'... eth0 is not promisc
    Checking `wted'... nothing deleted
    Checking `z2'... nothing deleted

    This is normal chkrootkit output; if by any chance you find an INFECTED!, I suggest checking the binary of the said program thoroughly.
    EXCEPTION: bindshell is known to say it's infected when running software like Portsentry; this is normal.



    (b) Check for bugs in software which is currently installed on the box.

    Very simple, start with checking your kernel version:
    uname -r
    2.4.25

    Then check your services' versions, starting with the mail server, ftp, apache, mysql and others:
    Use telnet to read this, or read the documentation about the software; an example would be:

    'telnet localhost 21' (FTP)
    telnet localhost 21
    Trying 127.0.0.1...
    Connected to yourserver
    Escape character is '^]'.
    220 yourserver Proftpd xxxxx FTP server ready.

    Where xxxxx is your server version. Next you go to a security related website (www.securityfocus.com) and run a search for any security vulnerability for that version of FTP server.
    If none is found, go to the ftp server website and see if your version is current.

    Repeat with all the other processes and upgrade when necessary.


    (c) Scan all ports and find out which unwanted ports are open. Update the report with these details.

    Get NMAP from www.insecure.org

    Run a vanilla scan:
    'nmap localhost'

    A normal return should be:

    Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
    Interesting ports on yourserver (127.0.0.1):
    (The 1547 ports scanned but not shown below are in state: closed)
    Port State Service
    21/tcp open ftp
    22/tcp open ssh
    25/tcp open smtp
    53/tcp open domain
    80/tcp open http
    110/tcp open pop-3
    443/tcp open https

    A really bad return would be:

    Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
    Interesting ports on yourserver (127.0.0.1):
    (The 1525 ports scanned but not shown below are in state: closed)
    Port State Service
    1/tcp open tcpmux
    11/tcp open systat
    15/tcp open netstat
    21/tcp open ftp
    22/tcp open ssh
    25/tcp open smtp
    53/tcp open domain
    79/tcp open finger
    80/tcp open http
    110/tcp open pop-3
    111/tcp open sunrpc
    119/tcp open nntp
    143/tcp open imap2
    443/tcp open https
    540/tcp open uucp
    635/tcp open unknown
    1080/tcp open socks
    1524/tcp open ingreslock
    2000/tcp open callbook
    6667/tcp open irc
    12345/tcp open NetBus
    12346/tcp open NetBus
    27665/tcp open Trinoo_Master
    31337/tcp open Elite
    32771/tcp open sometimes-rpc5
    32772/tcp open sometimes-rpc7
    32773/tcp open sometimes-rpc9
    32774/tcp open sometimes-rpc11
    54320/tcp open bo2k

    As you can see, this server is running a bunch of services we don't actually need, not to mention some trojans too. Check where they come from: most of them run from inetd (/etc/inetd.conf), some are run stand-alone. Find out the ones you need and the ones you don't need, and kill them.



    (d) Check if /tmp is secured. Update the report with these details.

    chmod +t directory
    That will prevent non-owners of objects in directory (excepting
    superuser) from unlinking (removing, moving, etc.) objects in that
    directory. In general any world writable directory should always be
    protected this way (such as /tmp, /var/tmp, /var/spool/uucppublic (or
    substitute usr for var if appropriate on your system)).



    (e) Check for hidden processes. Update the report with these details.

    ps aux should show all of the processes; remember that in order to trust this information you need to trust that the ps binary hasn't been corrupted (that's why you should run chkrootkit first).
    If you find any strange process that you don't know about, google it!


    (f) Check for bad blocks in every partition (this is just to make sure that the system is ok). Update the report with these details.

    e2fsck -f -p -c /dev/hdxx should scan for bad blocks; however, it needs to be done with the drive unmounted.



    (g) Check file permissions. Update the report with these details.

    I have used a program called sherpa (http://oregonstate.edu/~creliar/sherpa/) that checks file system permissions and other things.



    (h) Check if the kernel has the ptrace vulnerability. Update the report with these details.
    All kernels up to 2.4.20 are vulnerable; a simple uname -r should tell you which version you are running. If you are running a vulnerable version, upgrade ASAP (www.kernel.org).

    <edit>signature removed</edit>
    Last edited by choon; 03-09-2004 at 11:37 AM.
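    Step (c) above compares a port scan against what the server is supposed to run by eye; the script below, an added example and not part of the post, does the comparison mechanically: the post's "normal" listing is the baseline and a constructed, shortened copy of the post's "really bad" listing is the scan. The awk pattern also accepts the "PORT STATE SERVICE" layout of current nmap, since both print lines like "22/tcp open ssh".

```shell
#!/bin/sh
# Added example (not from the post): list the open ports in an nmap report
# that are not in the set of ports the server is supposed to serve.
# BASELINE is the post's "normal" listing; SCAN is a constructed, shortened
# copy of the post's "really bad" listing. The awk pattern accepts both the
# old "Port State Service" layout and current nmap's "PORT STATE SERVICE".

BASELINE='21 22 25 53 80 110 443'   # ftp ssh smtp dns http pop3 https

SCAN='Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on yourserver (127.0.0.1):
(The 1525 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop-3
443/tcp open https
6667/tcp open irc
12345/tcp open NetBus
31337/tcp open Elite
54320/tcp open bo2k'

# unexpected_ports "BASELINE" "SCAN_TEXT"
# Prints "port/proto service" for each open port absent from BASELINE and
# returns 1 when there is at least one, 0 when the scan matches the baseline.
unexpected_ports() {
    printf '%s\n' "$2" | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ "^[0-9]+/(tcp|udp)$" && $2 == "open" {
            split($1, p, "/")
            if (!(p[1] in ok)) { print $1, $3; found++ }
        }
        END { exit found ? 1 : 0 }'
}

echo "Open ports outside the baseline:"
unexpected_ports "$BASELINE" "$SCAN" \
    || echo "-> trace each one back to inetd.conf, a stand-alone daemon, or chkrootkit findings"
# Live use: unexpected_ports "$BASELINE" "$(nmap localhost)"
```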

  34. #34
    Join Date
    Mar 2004
    Location
    Venezuela
    Posts
    79
    (i) Check memory (this is to make sure that the memory is ok). Update the report with these details.

    You can use software like memtest86 to check the status of your memory; issuing
    cat /proc/meminfo should return all the information available about your memory.



    (j) Check for open relay. Update the report with these details.
    Open relays let spammers send email through your mail system without having to log in as a known user.
    For detailed instructions, check http://mail-abuse.org/tsi/ar-fix.html





    (k) Check if the partitions have enough space. Update the report with these details.
    The Linux command 'df' should tell you how much space you have available.
    My small webserver is partitioned like this:

    Filesystem 1k-blocks Used Available Use% Mounted on
    /dev/sda7 9614116 19256 9106488 1% /
    /dev/sda2 124443 1642 116375 2% /boot
    /dev/sda5 24027628 78572 22728520 1% /var
    /dev/sda6 9614116 701716 8424028 8% /usr
    /dev/sda9 166888792 812360 157598936 1% /home

    With /home and /var being the biggest partitions (home for the users and var for all the users' logs).


    (l) Check the size of logs. It's better that the log size remains in MBs.
    For this you can use programs like logrotate to rotate logs; also, a good way to keep logs in place is to burn them onto a CD-R/W or DVD-R/W for storage.



    (m) Do a stress test on the box. Update the report with these details.

    I have heard good reviews about stresslinux, which is a bootable Linux distro on a CD whose sole purpose is to run stress tests on your system (you don't have to install it, just put the CD in the CD-ROM, boot from it and let it run the tests).

    <edit>signature removed</edit>
    Last edited by choon; 03-09-2004 at 11:38 AM.

  35. #35
    Join Date
    May 2001
    Location
    Web Hosting Land
    Posts
    72
    Hey, about that hosts.deny and hosts.allow: with the recent torn rootkit scare from the cPanel exploit, if you were to deny ALL from ssh but your IP address, would they be able to SSH in?

    <edit>signature removed</edit>
    Last edited by choon; 03-14-2004 at 04:29 AM.

  36. #36
    Join Date
    Jul 2003
    Posts
    527
    Originally posted by joesmoh
    Hey, about that hosts.deny and hosts.allow: with the recent torn rootkit scare from the cPanel exploit, if you were to deny ALL from ssh but your IP address, would they be able to SSH in?
    I think they can, because they will have a different port or another service running that ignores your hosts.deny.

  37. #37
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,267
    They don't SSH in to plant it anyway. Remove their backdoor and you're all good.

    <edit>signature removed</edit>
    Last edited by choon; 03-14-2004 at 04:30 AM.

  38. #38
    Join Date
    Aug 2003
    Location
    Gods Own Country
    Posts
    869
    Please keep these steps in mind while working on security.

    1) Create a security policy (a security policy is created from business requirements and risk analysis). This is the first step one should follow while working on security.

    2) Based on the security policy, create a checklist.

    The checklist is created according to the security policy.
    ================check list ================================
    Check List
    #######################
    Software Vulnerabilities
    Kernel Upgrades and vulnerabilities
    Check For any Trojans
    Run chkrootkits
    Checks Ports
    Check for any hidden process
    Use audittools to check system
    Check logs
    Check Binaries
    Check Binaries and RPMS
    Check the email relays
    Check the cron entries
    Check /dev /tmp /var filefolders
    Check whether Backup is maintained
    Check for unwanted users,groups etc in the system
    Check and Disable unwanted services
    Locate malicious scripts
    Querylog in DNS
    Check whether Backup is maintained
    Check for the suid scripts and nouser scripts
    Check valid scripts in /tmp
    Use intrusion detection tools
    Check the system performance
    Check memory performance ( conduct memtest)

    Note: Please feel free to add the steps which I have missed
    ================end ===========================

    3) With this checklist, please conduct a security audit.

    The format of the security audit will be like this:
    =====================Format ==========================================
    Issues or software # Current version (version used in the server) # Stable version # Notes :
    ===============================================================

    In this step we will not do any upgrades or security related work on the box. Just find out the vulnerabilities.
    Find out the current versions of the software and check if it has any vulnerability. If so, please note it down and add it in the notes section of the audit report.


    Use tools like Nessus, nikto (audit tool for web servers), chkrootkit, dsa (DNS security audit tool), memtest and find out the vulnerabilities.

    Notes: The below section is called the Security Implementation stage.

    4) According to this audit report, we should first correct all software vulnerabilities (software patches which eliminate the bugs in the software can be used).

    (a) Upgrade the kernel if it's old and vulnerable. While compiling, please remove all unwanted options and reduce the size of the kernel.

    (b) Upgrade apache and its related software if it's vulnerable.

    (c) Upgrade php, mysql, proftpd, pure-ftpd, named if they're vulnerable.

    (d) Upgrade mod_ssl, openssh, openssl etc. (can be done manually or through up2date).

    (e) If the control panel has any bugs, the software vendors should be contacted and informed about the bug, so that they will provide a fast fix for it.

    5) Now the proper security work comes :-D.
    Security is divided into two sections, host security and network security, and each of these sections has 3 common parts:

    (a )Protection

    (b) Detection

    (c) Recovery

    5.1 )Host Security
    ==================
    (a) Please protect your system with a password.

    (b) Check file systems (set correct permissions and ownerships on files).
    eg: chmod -R 700 /etc/rc.d/init.d/*
    eg: Use rpm -Va to find out if an RPM's files have been modified.

    (c) Apply security patches to vulnerable software (eg: patch -p1 < patchfile).

    (d) Remove all unwanted ttys and console logins by removing the entry from /etc/securetty.

    (e) Check system logs (eg: /var/log/messages, /var/log/secure etc.).

    (f) Set a password for the boot loader (lilo and grub support it).

    (g) Monitor the system (nagios or Big Brother).

    5.2) Network Security
    =====================
    (1) Remove all unwanted users and groups.

    (2) Use the below script to mail the sysadmin when another user with uid 0 is created.
    =========================================
    The below script will mail the root user when another user with uid 0 is added.
    -------------------------script----------------------------------
    #!/bin/sh
    #
    # This script must be owned by root or at least setuid 0
    # It will scan the system and mail the root user when another user gains uid 0.

    # Recipient of the alert. The address in the original post was lost in
    # extraction, so the local root mailbox is used here.
    ALERT_TO=root

    # -F: sets the colon separator before the first line is read, so a uid-0
    # account on any line of /etc/passwd (not just later ones) is reported.
    for id in $(awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd)
    do
        echo "ALERT: login ID ${id} has uid 0 !! $(date '+Detected On Date :%D Time :%r')" \
            | mail -s "ALERT: User ${id} has UID 0" "$ALERT_TO"
    done
    -----------------------------------------------------------------
    ========================================================

    (3) Only allow passwords with 16 characters ( can be done by making changes in login.defs )

    (4) Disable unwanted services, use tcp wrappers ( unwanted services can be disabled through xinetd.d or xinetd.conf ).

    (5) Set a timeout, so that idle users will be logged out after a certain amount of time

    (6) Disable all console program access
    ( eg : rm -rf /etc/security/console.apps/<service name> )

    (7) Enable the nospoof option in /etc/host.conf

    (8) Specify the order in which the domain name should be resolved ( eg : order bind,hosts )

    (9) Lock the /etc/services file so that no one modifies it

    (10) Restrict direct root login ( comment the PermitRootLogin option in sshd_config )

    (11) Restrict su, so that only wheel group members are able to su.
    ( can use pam or remove the permission of others for the su binary )

    (12) Limit user resources ( can use pam, specify the limits for each user in /etc/security/limits.conf )

    (13) Secure /tmp ( mount /tmp with noexec,nodev,nosuid )

    (14) Hide the server details. For that, remove /etc/issue and /etc/issue.net

    (15) Disable unwanted suid and sgid files
    find / -type f \( -perm -04000 -o -perm -02000 \)

    eg : gpasswd, wall, traceroute etc....

    (16) Allow ping only from a specified location ( for monitoring systems to work ). Use iptables for that

    (17) Take preventive measures against DoS, ping of death etc.. Use the below script for that
    http://www.webhostingtalk.com/showth...hlight=blessen

    (18) Install a firewall ( eg apf and iptables )

    ( policy --> allow the ports which the box needs and block all other ports )
    Eg: http://www.rfxnetworks.com/
    Eg: http://www.yolinux.com/TUTORIALS/Lin...rkGateway.html

    (19) Install intrusion detection ( eg install tripwire or aide )

    eg: http://www.cs.tut.fi/~rammer/aide.html
    eg: http://www.redhat.com/docs/manuals/l...-tripwire.html

    (20) Install sxid to keep an eye on suid and sgid scripts.
    Link: http://linux.cudeso.be/linuxdoc/sxid.php

    (21) Restrict ssh to specific ips and users ( I suggest going for key authentication using a passphrase )

    (22) Install logcheck to check the logs

    (23) Install tmpwatch to delete unused files from the /tmp directory

    (24) Install and setup portsentry and configure it to use iptables to block ips

    (25) Install mod_security and mod_dosevasive to safeguard apache

    6) Submit a status report
    ========================
    Notes: It will contain everything you have done on the server to secure it as per the audit

    7) Testing and Optimization phase
    ==========================

    Use tools like nessus, nikto, nmap etc to do a penetration test and see how well your server stands up. Also do a stress test etc.


    Optimization
    ==========
    1) Harddisk --> enable DMA for faster disk reads

    2) Limit user processes

    3) For mysql use these settings for good performance
    =======================mysql settings in my.cnf======================
    port = 3306 -- I would always suggest changing the port
    skip-locking
    set-variable = max_connections=100
    set-variable = max_user_connections=20
    set-variable = key_buffer=16M
    set-variable = join_buffer=4M
    set-variable = record_buffer=4M
    set-variable = sort_buffer=6M
    set-variable = table_cache=1024
    set-variable = myisam_sort_buffer_size=32M
    set-variable = interactive_timeout=100
    set-variable = wait_timeout=100
    set-variable = connect_timeout=10
    set-variable = thread_cache_size=128
    ==============================================

    4) For proftpd use these settings
    ==========================ftp settings in proftpd.conf=======================

    TimeoutIdle 600
    TimeoutNoTransfer 600
    TimeoutLogin 300
    MaxInstances 30
    MaxClientsPerHost 2
    ==================================================================

    5) Disabling the logging of access time on partitions where the access time always changes ( eg /var ) will improve performance.
    For that, just mount that partition with noatime.

    6) Do not create large firewall policies, they will delay packets.

    7) Setting file system parameters to correct values will often provide good performance.

    8) While compiling always use these options
    For i686
    ======
    CFLAGS=-O9 ( for best optimization )
    -funroll-loops
    -ffast-math
    -mcpu=< your processor type >
    -march=< your processor type >
    -fomit-frame-pointer

    For i586
    ======
    CFLAGS=-O3
    -funroll-loops
    -ffast-math
    -mcpu=< your processor type >
    -march=< your processor type >
    -fomit-frame-pointer


    Hope this helps you....

    <edit>signature removed</edit>
    Last edited by choon; 03-14-2004 at 09:20 AM.
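The uid-0 check from item 5.2(2), the /tmp mount options from item (13) and the PermitRootLogin setting from item (10) above, as an added example that is not the poster's script: each check is a function taking a file argument, run here against constructed sample files (a hypothetical passwd, mounts and sshd_config) instead of the live /etc/passwd, /proc/mounts and sshd_config.

```shell
#!/bin/sh
# Added example, not the poster's script. Each function takes a file so it
# can be pointed at the real /etc/passwd, /proc/mounts or sshd_config, or
# at the constructed samples below. awk gets its separator with -F: so the
# first record (normally root) is split on ":" like every other line.

# Print every account with uid 0 whose name is not "root".
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Print the options among noexec, nodev, nosuid that MOUNTPOINT lacks,
# reading a file in /proc/mounts format (arguments: MOUNTPOINT FILE).
tmp_missing_options() {
    opts=$(awk -v mp="$1" '$2 == mp { print $4 }' "$2")
    for want in noexec nodev nosuid; do
        case ",$opts," in
            *",$want,"*) ;;
            *) printf '%s\n' "$want" ;;
        esac
    done
}

# Exit 0 only if sshd_config explicitly says "PermitRootLogin no";
# a commented-out line just leaves sshd at its built-in default.
root_login_disabled() {
    awk 'tolower($1) == "permitrootlogin" { v = tolower($2) }
         END { if (v == "no") exit 0; exit 1 }' "$1"
}

# Constructed sample inputs (not taken from any real host).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second uid 0 account:/:/bin/sh
alice:x:500:500::/home/alice:/bin/bash
EOF
cat > "$SAMPLE_DIR/mounts" <<'EOF'
/dev/sda1 / ext3 rw,noatime 0 0
/dev/sda3 /tmp ext3 rw,nodev 0 0
EOF
printf 'Port 22\nPermitRootLogin yes\n' > "$SAMPLE_DIR/sshd_config"

extra_uid0_accounts "$SAMPLE_DIR/passwd"        # prints: toor
tmp_missing_options /tmp "$SAMPLE_DIR/mounts"   # prints: noexec, nosuid (one per line)
root_login_disabled "$SAMPLE_DIR/sshd_config" || echo "PermitRootLogin is not set to no"
```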

  39. #39
    Join Date
    Aug 2003
    Location
    Gods Own Country
    Posts
    869
    I have made the above post just because of my "PASSION FOR SECURITY"

    It's driven by passion.....

    <edit>signature removed</edit>
    Last edited by choon; 03-14-2004 at 12:05 PM.

  40. #40
    Join Date
    Mar 2003
    Location
    Kansas City, MO
    Posts
    66
    When you mention hosts.allow and you say:

    sshd: host.ip.number.1,host.ip.number.2,etc

    Do you mean
    sshd: 204.1.2.1,204.1.2.3,204.1.2.3

    I entered the IPs for my box, and then it wouldn't let me login. Luckily I just restarted the net svc and stayed SSH'd in. If I had rebooted, I would have been furious.

    Can you show me an example on this one?
    Promethyl Corporate.
    Webhosting and Development.
    http://promethyl.com/
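A way to read back a hosts.allow line such as the "sshd: ip,ip,ip" one asked about, as an added example that is not from the thread: the function handles only a subset of tcp_wrappers patterns (ALL, exact IPv4 addresses, and a trailing-dot prefix like "204.1.2."), runs against a constructed sample file, and is a stand-in for the authoritative tcpdmatch(8) tool.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether CLIENT_IP matches any
# hosts.allow line for DAEMON, so a rule can be read back before the session
# that wrote it is closed. Subset of tcp_wrappers syntax only: ALL, exact
# IPv4 addresses, trailing-dot prefixes. Use tcpdmatch(8) for the real answer.

# hosts_allow_permits DAEMON CLIENT_IP FILE -> exit 0 if some line matches
hosts_allow_permits() {
    # drop comments, then split "daemon_list : client_list [: options]"
    sed 's/#.*//' "$3" | awk -F: -v d="$1" -v c="$2" '
        NF < 2 { next }
        {
            nd = split($1, ds, /[ \t,]+/)
            dmatch = 0
            for (i = 1; i <= nd; i++)
                if (ds[i] == d || ds[i] == "ALL") dmatch = 1
            if (!dmatch) next
            nc = split($2, cs, /[ \t,]+/)
            for (i = 1; i <= nc; i++) {
                p = cs[i]
                if (p == "") continue
                if (p == "ALL" || p == c) { found = 1; exit }
                # "204.1.2." matches any address that starts with it
                if (p ~ /\.$/ && index(c, p) == 1) { found = 1; exit }
            }
        }
        END { if (found) exit 0; exit 1 }'
}

# Constructed hosts.allow for testing, not any real host's file.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# sshd from two admin addresses, everything else only from one subnet
sshd: 204.1.2.1, 204.1.2.3
ALL: 10.0.0.
EOF

hosts_allow_permits sshd 204.1.2.3 "$SAMPLE" && echo "204.1.2.3 matches an sshd rule"
hosts_allow_permits sshd 204.1.2.9 "$SAMPLE" || echo "204.1.2.9 matches no sshd rule"
```

tcp_wrappers consults /etc/hosts.allow first and /etc/hosts.deny second, and a client matched by neither file is allowed, so a lockout like the one described usually comes from a broad hosts.deny entry paired with an allow line that does not match the address the session actually comes from.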
